How to Prevent IT approval Workflows from getting Stuck or lost in the shuffle?

I'm in a mid-sized IT team (around 100-200 users across the org), and we're constantly dealing with approval workflows that just... disappear. Whether it's access requests, change approvals, new software...
we tried some automated solutions but nothing really worked as there's no clear tracking when multi-level approvals are needed (e.g., manager + security + finance).

How to handle this to keep things moving?

What processes or setups ensure approvals don't get lost?
Any ways to improve tracking and escalations without constant manual follow-ups?

https://redd.it/1ppnqlw
@r_systemadmin

Small org PSA: if you don’t have this “boring” documentation, you don’t have a system

I’ve walked into too many environments where everything “works” until the one person who knows it goes on vacation. This isn’t about fancy tooling. It’s about a handful of boring docs that turn tribal knowledge into something survivable.

If you only document one thing this week, make it the stuff that prevents panic.

The minimum set I think every shop needs:

1. Access map
Who can access what, where creds live, how to request access, and how to remove it. Include break-glass accounts and where MFA recovery lives.


2. Inventory that actually matters
Not a 600-line spreadsheet of every laptop. The things that can take you down: firewalls, switches, hypervisors, domain controllers, identity provider, backups, DNS, email, key SaaS, and who owns each.


3. “How to restore” backups
Not “we have backups.” Actual restore steps. What gets restored first, where the keys are, how long it takes, and the last time a restore was tested.


4. Top 10 runbooks
Password reset, VPN down, internet down, storage full, cert renewal, user offboarding, mailbox issues, printer hell, critical SaaS outage, and “website is down.” One page each is enough.


5. Change log for the scary stuff
Firewall rules, DNS changes, cert changes, routing, SSO. Just a running note of what changed, when, and why.


6. Incident cheat sheet
Who to call, where status pages are, where logs live, where to look first, and how to communicate internally. The goal is to reduce “what do we even do” time.



One practical tip: write it as if future-you is half asleep at 3am and slightly angry at past-you.

What’s the one doc/runbook you wish every environment had on day one?

https://redd.it/1ppubjd
@r_systemadmin

Godaddy Outage 12/18

Appears to be an issue going on with the GoDaddy nameservers. DNS failing to resolve to a number of domains.

https://redd.it/1ppugb5
@r_systemadmin

Trying to decide between a Samba, TrueNAS Community Edition, and NextCloud AIO for file storage

Hi everyone,


I am planning to set up a self-hosted file server for a small organization (\~15 employees) that will still allow for remote access. I'd like to use a free and open-source setup if at all possible. We'd need to be able to connect to it from Windows, Mac, and Linux computers. It would also be nice to be able to edit files simultaneously, though this isn't a must-have feature.

These are the three options I have in mind (though I'm open to others):

1. Samba share on a Linux desktop (Seems like the simplest option overall. I would plan to use Wireguard to grant remote users access to it.)

2. NextCloud AIO (I have an installation at home that has been working well. I like that it offers many of the same capabilities as our current cloud-based setup along with a friendly UI, along with the ability to share files publicly via a link. I was nervous initially about setting up port forwarding, but 2FA, brute force protection, and strong passwords can help mitigate this risk.)

3. TrueNAS Community Edition (I'd like to give TrueNAS a try, but it may be overkill for our use case. As with Samba, I'd plan to enable remote access via Wireguard.)

Any thoughts on which option might be ideal for us--along with your experiences of using these tools at a small business--would be much appreciated.

https://redd.it/1ppshai
@r_systemadmin

Best method to keep stored laptops up to date

At my org we have 10 or so Windows 11 Dell laptops that are kept on hand for emergencies/crisis situations. In the event of a situation, these laptops need to be available for immediate use, no waiting around for updates to install etc.

I'm wondering what the best method to keep these laptops up to date would be.

I was considering using a storage cabinet and using Wake on Lan to wake them for monthly/bimonthly updates.

Is this the best way, or is there a better alternative?

https://redd.it/1ppvsei
@r_systemadmin

Not taken seriously because of my age.

Sup guys I am 20 years old working a Jr. Sys Admin position. Half the time I'm dealing with customer support, the other half is networking and infrastructure projects. I have my main 3 CompTIA certs (A+, Network+, Security+) and a CCNA. Ever since my first office job I feel like no one takes me seriously. I expected this for interviews, so I would wear a wedding ring and clothes that generally made me look older than I am. Once I am actually in the workplace and start conversing with co-workers that ask me my age, I make the mistake of telling them. As soon as they hear how old I am suddenly they stop taking me seriously. Support becomes that much worse with people making unreasonable requests, escalating with my manager for any reason they can find, or straight up just ignoring me. I love being the guy that fixes shit and I don't belittle people who I know aren't tech-savvy but this shit is so unbearable. This is more a vent post but from now on I'm just going to tell people I'm 24-25 because of this. My resume is good for someone my age since I started helping out an MSP when I was 14 (after-school, weekends, or during summers). It might also be a medical workplace thing, other people my age in research assistant positions also go through the same bullshit.

https://redd.it/1ppzm76
@r_systemadmin

SCIM locked behind Enterprise plans - are you kidding me?

I've been going through our list of apps trying to get automated provisioning set up. You know, basic stuff - user gets hired, account gets created. User leaves, account gets nuked.

Except apparently that's not basic stuff anymore.

Every vendor I've looked at locks SCIM behind their Enterprise tier.

So the ability to automatically deprovision someone when they leave the company is a premium feature? Are we serious right now?

I don't need your "Enterprise collaboration suite" or whatever garbage you bundled to justify the price jump. I need to not have ex-employee accounts sitting around for months after someone's been fired. That's it. That's the feature.

And it's not even hard! SCIM is just API calls. My IdP is already making them. Your app just has to... receive them.

These vendors love talking about security. "We take your security seriously!" "Zero trust architecture!" Cool story. Then why are you making me manually CSV import/export users like it's 2005? Why do I have to remember which of our 50+ apps each person has access to when they leave?

You KNOW what happens without automated provisioning? Tickets. Spreadsheets. Forgotten apps. That contractor who left 8 months ago still has admin access.

But sure, tell me more about how committed you are to security while you paywall basic lifecycle management.

At this point I'm tempted to just avoid vendors that pull this crap. If they want to treat basic security features as a cash grab, maybe they don't deserve the business.

Anyone else dealing with this? What are you doing for apps that don't support SCIM at all - just accepting the manual hell? Has anyone actually gotten a vendor to back down on this without upgrading?

https://redd.it/1ppzytp
@r_systemadmin

Are you looking at keyboard response rates? Amazon is.

They found a laptop being controlled by N Korea by monitoring keyboard input rates.

https://www.tomshardware.com/tech-industry/cyber-security/north-korean-infiltrator-caught-working-in-amazon-it-department-thanks-to-lag-110ms-keystroke-input-raises-red-flags-over-true-location

https://redd.it/1pq34wy
@r_systemadmin

Advice (given and hopefully received)

So I have been unemployed for about 4 months now. It sucks very much and I am having a hard time mentally right now. But, the mental strain isn’t yours or anyone else’s provlem. It’s my own.

So I’d like to give out some advice that probably is common sense to everyone else but I am gonna say it anyways. Trust your gut, if you think you’re on the way out, find a job. Don’t stick around because you think “I can rebound and make this work”. You don’t owe the company anything. And be damn sure that they won’t think they owe you anything. Take care of yourself, and never think that you owe anyone anything.

As for advice needed: anyone got a good job lead? I live in Pennsylvania but at this points I’ll move to bumblefuck
Middle America to have a job again.

https://redd.it/1pq5qqt
@r_systemadmin

Here's how you make a ton of money rolling out "AI"



Last quarter I rolled out Microsoft Copilot to 4,000 employees.

$30 per seat per month. $1.4 million annually.

I called it "digital transformation."

The board loved that phrase.

They approved it in eleven minutes.



No one asked what it would actually do.

Including me.

I told everyone it would "10x productivity."

That's not a real number. But it sounds like one.



HR asked how we'd measure the 10x.

I said we'd "leverage analytics dashboards."

They stopped asking.

Three months later I checked the usage reports.

47 people had opened it. 12 had used it more than once.

One of them was me.

I used it to summarize an email I could have read in 30 seconds.

It took 45 seconds.

Plus the time it took to fix the hallucinations.



But, I called it a "pilot success."

Success means the pilot didn't visibly fail.



The CFO asked about ROI.

I showed him a graph.

The graph went up and to the right.



It measured "AI enablement."

I made that metric up.

He nodded approvingly.

We're "AI-enabled" now.

I don't know what that means. But it's in our investor deck.

A senior developer asked why we didn't use Claude or ChatGPT.

I said we needed "enterprise-grade security."

He asked what that meant.

I said "compliance."

He asked which compliance.

I said "all of them."

He looked skeptical.

I scheduled him for a "career development conversation."

He stopped asking questions.



Microsoft sent a case study team. They wanted to feature us as a success story.

I told them we "saved 40,000 hours." I calculated that number by multiplying employees by a number I made up.

They didn't verify it. They never do.



Now we're on Microsoft's website.

"Global enterprise achieves 40,000 hours of productivity gains with Copilot."

The CEO shared it on LinkedIn.

He got 3,000 likes.

He's never used Copilot.

None of the executives have.



We have an exemption.

"Strategic focus requires minimal digital distraction."

I wrote that policy.



The licenses renew next month. I'm requesting an expansion.

5,000 more seats.

We haven't used the first 4,000.

But this time we'll "drive adoption."

Adoption means mandatory training.

Training means a 45-minute webinar no one watches.

But completion will be tracked. Completion is a metric.

Metrics go in dashboards. Dashboards go in board presentations.

Board presentations get me promoted.



I'll be SVP by Q3. I still don't know what Copilot does.

But I know what it's for. It's for showing we're "investing in AI."

Investment means spending. Spending means commitment.

Commitment means we're serious about the future.

The future is whatever I say it is.

As long as the graph goes up and to the right.


\--From Peter Gimus' post on X: https://x.com/gothburz/status/1999124665801880032

https://redd.it/1pq7ush
@r_systemadmin

What was the happiest point in your IT related career?

When I no longer had to check the ticketing system. I will occasionally still put in tickets but nothing will ever be assigned to me.


inb4 "retirement"

https://redd.it/1pqes74
@r_systemadmin

Edge 143 blocks SSO for domain hosted apps

Edge 143 has removed Intranet Zone auto logon functionality that has existed since the dawn of Internet Explorer. Chrome 143 as well.

So now if you go to an Intranet zone site instead of passing through and automatically logging you in with your Domain Credentials it will require you to manually enter your credentials.

Although it is supposed to “prompt” for local access, I have only seen the prompt on Chrome and usually only for a second. Otherwise it is automatically blocked.

Microsoft released an emergency ADMX GPO setting that lets domains opt out for 2 more versions until 146.

You can add every single domain using any kind of SSO to another GPO setting but that requires a lot of effort in large multi domain organizations.

They released this just before Christmas so as to create a massive amount of P1’s right when everyone is on vacation.

Just posting this as an FYI if anyone starts getting calls that Citrix, RDS, custom domain apps, anything that uses domain authentication just stops functioning.

Luckily I caught this a few days ago and was able to do 13 emergency changes yesterday for 14 domains that I manage to do the opt out and then we get the fun task of tracking down thousands of SSO webservers that need to be individually added to each domain.

Gotta love Microsoft. They definitely keep me employed.

https://redd.it/1pqeo9p
@r_systemadmin

Group-based permissions in Exchange Online

Hi all,

I wanted to move from user-based to group-based permissions in Exchange Online for shared mailboxes. Since I use security groups for other permission purposes and I wanted to use them for Exchange Online as well. However, I learned that you need to mail-enable them (so I create an extra email address per security group) and then assign them via powershell to the shared mailbox.

It seems a bit messy to create an extra email address just for the sole purpose to assign permissions. How do you handle it in your environments?

https://redd.it/1pqgpi8
@r_systemadmin

Weekly 'I made a useful thing' Thread - December 19, 2025

There is a great deal of user-generated content out there, from noscripts and software to tutorials and videos, but we've generally tried to keep that off of the front page due to the volume and as a result of community feedback. There's also a great deal of content out there that violates our advertising/promotion rule, from noscripts and software to tutorials and videos.

We have received a number of requests for exemptions to the rule, and rather than allowing the front page to get consumed, we thought we'd try a weekly thread that allows for that kind of content. We don't have a catchy name for it yet, so please let us know if you have any ideas!

In this thread, feel free to show us your pet project, YouTube videos, blog posts, or whatever else you may have and share it with the community. Commercial advertisements, affiliate links, or links that appear to be monetization-grabs will still be removed.

https://redd.it/1pqhesh
@r_systemadmin

Any Success Stories for Teams/Zoom Use in RDS or Similar?

The noscript really says it all. We normally go with full laptops/desktops with Zoom and Teams installed, but we need to trial some new solutions for the remote workforce. Some quick googling shows it's more feasible for VDI but I'm hoping for some feedback from the group.

https://redd.it/1pqc324
@r_systemadmin

First Time SysAdmin of an OLD System - Any tips?

Hi everyone,

I've managed to land a position as an IT Specialist (It's actually a SysAdmin position) at a company close to home. Huge win for me, as I'm nearly finished with my Bachelors in CS. I am the entire IT team. We have some remote IT members who work for the company that owns ours, but most of the time it's just me working on things.

I come to you all asking for tips, insights, and suggestions of what to learn. Our environment is very antiquated. It's primarily Microsoft Access, Infor FourthShift, and lots of lots of Excel. Most of the stuff we use here is older than I am.

I'm the 3rd IT person they've had, and the only one with any schooling and development experience. The first admin worked here for like 4 decades, and built everything, but never updated it. The 2nd admin was pretty bad, used AI to rewrite every bit of SQL, VBA, and any other code he had to touch. Most of it has broken.

We have lots of old equipment, but we did complete a migration to Windows 11 in about a week and a half, so end user machines and servers are all new at least. Peripherals, like Zebra printers, scanners, office printers are all like 15-20 years old. Most of the processes in this company involve physically printing a report, just to scan it back into the system, and then shred the paper.

What do you wise System Administrators suggest and recommend? I want to do well in this role. There's lots of room for improvement, but they seem to listen to my suggestions, and are willing to make changes.

https://redd.it/1pqmf4h
@r_systemadmin

Open Source RemoteApp replacement?

Hello, I was wondering if anyone knows of a good open source RemoteApp alternative?

Specifically I want the functionality to share an app installed on a windows machine over some kind of remote protocol, where clients can login and get access to only the specific app on the server. Are there any open source software that provide that functionality without having to rely on RDS at any point in the chain?

https://redd.it/1pqmz9f
@r_systemadmin

Just had a sales rep try to upsell me while their platform is down globally.

I’m currently staring at a status page that’s been all red for 45 minutes. My inbox is filling up with "Is the email gateway down?" tickets from clients.

My phone rings. I answer it because I have a P1 ticket open with their support and I thought it might finally be an engineer calling back.

Nope.

"Hi, this is Josh. I saw you've been a partner for a while and wanted to see if you'd be interested in seeing a demo of our new analytics dashboard."

I actually sat there in silence for a few seconds. I asked him, "Are you aware that your entire US-East cluster is currently offline?"

He hesitated and said, "Oh, I heard there might be some latency, but the dashboard I'm selling actually helps visualize uptime!"

I didn't even have the energy to argue. I just hung up.

The disconnect between the sales floor and the NOC at these massive vendors never ceases to amaze me.



https://redd.it/1pqomk3
@r_systemadmin

CLOUDFLARE MY LIFE IS YOURS PLEASE

I guess it's fine that they keep things up and running 97% of the time, but man when it rains it pours.

Bunch of clients complaining about sudden weird behavior.

"Can't take inbound calls, but outbound is fine."

Firewall looks good.

Switches have had work done recently, but nothing that would break anything.

SIP trunk is showing registered???

Carrier not receiving replies to challenges though.

Carrier support whispers the magic words: "Make sure you're using a public DNS"

"Oh, I am, I know I am cause I always use google and cloudflare... let me just check my configuration."

There it is. Primary DNS server set to 1.1.1.1

I swap it with the secondary 8.8.8.8 and phones start working.

It's always DNS... always has been...

https://redd.it/1pqoof2
@r_systemadmin

Recommendations for Office 365 backups?

I have a small biz client asking for an Office 365 backup solution.



It needs to cover the following: Exchange Online, OneDrive, SharePoint Online and Teams. This would include things like permissions, calendars, mailbox-rules, etc etc.



Backups do not need to cover the more Azure oriented items (PC's in Intune/Defender/etc, VM's, SQL, and so forth), but ideally can fully restore a user-account. Worst-case would be creating a new user account and running a restore from a dead user to that account.



We should also be able to export the above services outside of O365 (eg ExO -> PST), and do so with some granularity (individual files/folders in SPO, folders or even emails in ExO, etc etc)



My go-to has been **afi.ai** for a while. However, it's also been a while since I've taken anything else out for a spin.



I believe the client would be open to both on-prem and cloud-based solutions. They do not have a plethora of on-prem servers, and do not have on-prem AD. Any on-prem solution would likely mean new hardware. They are bandwidth-limited on their upstream. Cost will be a factor.



Any recommendations?

https://redd.it/1pqq54m
@r_systemadmin

office.com changed again....

I used to be able to pin the admin button on the left pane but now its all just ai bs... Could they be anymore stupid....

https://redd.it/1pqt4fz
@r_systemadmin